----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 11:13 AM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???
> I'm sorry, I prefer not to go off-list and repeat everything.
> I believe very confidently I did show it with an actual example.
> It is really quite trivial:
>
> example #2 - SPF record with SPF- softfail or neutral result
>
> client IP: 202.178.165.242
> HELO winserver.com
> mail from: user(_at_)aol(_dot_)com
>
> In each case, SPF would bypass the spoofing of the winserver.com domain.
> That is not a badly configured server, but one that is maliciously
> spoofing the helo domain by using our local domain, winserver.com.
To say that SPF has a loophole here, because it does not check the validity
of the HELO string, is silly, really: the HELO string is simply irrelevant
in all your examples.
With an envelope-from with the AOL domain, you will get the 'neutral' policy
of AOL. That is neither a bug, nor a loophole, nor malicious spoofing. It is
simply what AOL, the domain owner, dictates it should be: a 'neutral'.
Your domain, winserver.com, never plays into this, as the HELO string,
however bogus, is never used here.
Should AOL switch to 'fail', then I'm sure "202-178-165-242.cm.apol.com.tw"
[202.178.165.242] will not be a designated mailer. :)
> example #2 - SPF record with SPF-pass result
>
> client IP: 207.8.214.5
> HELO winserver.com
> mail from: user(_at_)aol(_dot_)com
Bull. Your configuration is broken. This does most certainly NOT produce a
'pass'.
> example #1 - no SPF record with SPF-none result
>
> client IP: 1.2.3.4
> HELO winserver.com
> mail from: user(_at_)example(_dot_)com
Yeah, well, what do you expect from a domain that does not publish SPF
records?
> That's a loophole, and if SPF does not address it, it forces the MTA software
> to perform this check, which defeats the purpose of SPF.
If SPF were a "fake HELO check" tool, then it would, indeed, be derelict in
its duty. However, SPF does something else: it authorizes an IP address to
send mail on behalf of a domain. Sometimes that requires checking the HELO
string; and sometimes it does not. In both cases, however, as in your above
examples, SPF performs flawlessly.
Cheers,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
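The point argued in the thread, as an added example that is not part of the original post: SPF evaluates the policy of the envelope-sender's domain against the connecting IP, so the HELO string does not enter into the result when MAIL FROM is present (it is only the checked identity for a null sender). The SPF records below are constructed for illustration, not the real records of aol.com or winserver.com; the client IPs are the ones from the thread.

```python
import ipaddress

# Constructed SPF records (not real DNS data). example.com deliberately has none.
SPF_RECORDS = {
    "aol.com": "v=spf1 ip4:205.188.0.0/16 ?all",          # neutral for everyone else
    "winserver.com": "v=spf1 ip4:208.247.131.0/24 -all",  # hypothetical 'fail' policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, client_ip):
    """Evaluate a small subset of SPF: only the ip4 and all mechanisms."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:           # skip the 'v=spf1' version tag
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                          # no match, no 'all': spec default


def check_spf(client_ip, helo, mail_from):
    """Return (identity_checked, result).

    With a non-empty MAIL FROM the identity is its domain and HELO is ignored;
    HELO becomes the identity only for a null sender (bounces).
    """
    if mail_from:
        identity = mail_from.rsplit("@", 1)[1].lower()
    else:
        identity = helo.lower()
    record = SPF_RECORDS.get(identity)
    if record is None:
        return identity, "none"
    return identity, evaluate(record, client_ip)


if __name__ == "__main__":
    # The thread's three cases: the bogus HELO never changes the outcome.
    for ip, mf in [("202.178.165.242", "user@aol.com"),
                   ("207.8.214.5", "user@aol.com"),
                   ("1.2.3.4", "user@example.com")]:
        print(ip, "HELO winserver.com", mf, "->", check_spf(ip, "winserver.com", mf))
```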